c e n s u s : Posts

Linux kernel SUNRPC off-by-two buffer overflow

[ posted by argp on 01.12.2009 ]

census ID:	census-2009-0005
Affected Products:	Linux kernel versions from 2.6.32 to 2.6.32-rc7.
Class:	Off-by-two stack buffer overflow.
Discovered by:	Patroklos Argyroudis

We have found an off-by-two stack buffer overflow in the Linux kernel SUNRPC implementation. Linux kernel versions from 2.6.32 to 2.6.32-rc7 are affected.

CVE-2008-3531: FreeBSD kernel stack overflow exploit development

[ posted by argp on 02.07.2009 ]

About four months ago I developed a reliable exploit for vulnerability CVE-2008-3531, which is also addressed in the advisory FreeBSD-SA-08:08.nmount. In this post I will use this vulnerability to provide an overview of the development process for FreeBSD kernel stack exploits.

CVE-2008-3531 is a kernel stack overflow vulnerability that affects FreeBSD versions 7.0-RELEASE and 7.0-STABLE, but not 7.1-RELEASE nor 7.1-STABLE as the CVE entry seems to suggest.

FreeBSD kernel stack overflows

[ posted by argp on 20.02.2009 ]

Last May (2008/05/30) I presented my research on FreeBSD kernel stack overflows at the University of Piraeus Software Libre Society, Event #16: Computer Security. The slides from the talk are now available in our research section.

FreeBSD kernel debugging

[ posted by argp on 19.01.2009 ]

The FreeBSD kernel can be debugged with the ddb(4) interactive kernel debugger. Although the latest production release of FreeBSD (7.1 at the time of this writing) adds some very useful features, ddb is still lacking the flexibility of gdb.

The FreeBSD developer’s handbook has a section on kernel debugging using remote gdb, but it is not directly applicable to VMware-based installations. The solution is to use VMware’s feature of creating virtual serial ports as named pipes to emulate a serial connection between two FreeBSD virtual machines.